diff options
| author | Patrick McHardy <kaber@trash.net> | 2009-08-10 11:14:59 -0400 |
|---|---|---|
| committer | Patrick McHardy <kaber@trash.net> | 2009-08-10 11:14:59 -0400 |
| commit | dc05a564ab1b3a1957927da50912964b61f7da69 (patch) | |
| tree | 489905675f9954e5bf160a2eff6ea6ce93472d61 /net/ipv4 | |
| parent | be39ee11cd1f67b51ac8e71d177a981eb34f2ab2 (diff) | |
| parent | e2fe35c17fed62d4ab5038fa9bc489e967ff8416 (diff) | |
Merge branch 'master' of git://dev.medozas.de/linux
Diffstat (limited to 'net/ipv4')
| -rw-r--r-- | net/ipv4/netfilter/arp_tables.c | 44 | ||||
| -rw-r--r-- | net/ipv4/netfilter/ip_tables.c | 48 | ||||
| -rw-r--r-- | net/ipv4/netfilter/iptable_filter.c | 8 | ||||
| -rw-r--r-- | net/ipv4/netfilter/iptable_mangle.c | 12 | ||||
| -rw-r--r-- | net/ipv4/netfilter/iptable_raw.c | 6 | ||||
| -rw-r--r-- | net/ipv4/netfilter/iptable_security.c | 8 | ||||
| -rw-r--r-- | net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 8 | ||||
| -rw-r--r-- | net/ipv4/netfilter/nf_nat_rule.c | 2 | ||||
| -rw-r--r-- | net/ipv4/netfilter/nf_nat_standalone.c | 8 |
9 files changed, 88 insertions, 56 deletions
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c index 7505dff4ffdf..7bc11ffbb845 100644 --- a/net/ipv4/netfilter/arp_tables.c +++ b/net/ipv4/netfilter/arp_tables.c | |||
| @@ -8,7 +8,7 @@ | |||
| 8 | * Copyright (C) 2002 David S. Miller (davem@redhat.com) | 8 | * Copyright (C) 2002 David S. Miller (davem@redhat.com) |
| 9 | * | 9 | * |
| 10 | */ | 10 | */ |
| 11 | 11 | #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt | |
| 12 | #include <linux/kernel.h> | 12 | #include <linux/kernel.h> |
| 13 | #include <linux/skbuff.h> | 13 | #include <linux/skbuff.h> |
| 14 | #include <linux/netdevice.h> | 14 | #include <linux/netdevice.h> |
| @@ -341,15 +341,11 @@ unsigned int arpt_do_table(struct sk_buff *skb, | |||
| 341 | } | 341 | } |
| 342 | 342 | ||
| 343 | /* All zeroes == unconditional rule. */ | 343 | /* All zeroes == unconditional rule. */ |
| 344 | static inline int unconditional(const struct arpt_arp *arp) | 344 | static inline bool unconditional(const struct arpt_arp *arp) |
| 345 | { | 345 | { |
| 346 | unsigned int i; | 346 | static const struct arpt_arp uncond; |
| 347 | 347 | ||
| 348 | for (i = 0; i < sizeof(*arp)/sizeof(__u32); i++) | 348 | return memcmp(arp, &uncond, sizeof(uncond)) == 0; |
| 349 | if (((__u32 *)arp)[i]) | ||
| 350 | return 0; | ||
| 351 | |||
| 352 | return 1; | ||
| 353 | } | 349 | } |
| 354 | 350 | ||
| 355 | /* Figures out from what hook each rule can be called: returns 0 if | 351 | /* Figures out from what hook each rule can be called: returns 0 if |
| @@ -537,12 +533,28 @@ out: | |||
| 537 | return ret; | 533 | return ret; |
| 538 | } | 534 | } |
| 539 | 535 | ||
| 536 | static bool check_underflow(struct arpt_entry *e) | ||
| 537 | { | ||
| 538 | const struct arpt_entry_target *t; | ||
| 539 | unsigned int verdict; | ||
| 540 | |||
| 541 | if (!unconditional(&e->arp)) | ||
| 542 | return false; | ||
| 543 | t = arpt_get_target(e); | ||
| 544 | if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0) | ||
| 545 | return false; | ||
| 546 | verdict = ((struct arpt_standard_target *)t)->verdict; | ||
| 547 | verdict = -verdict - 1; | ||
| 548 | return verdict == NF_DROP || verdict == NF_ACCEPT; | ||
| 549 | } | ||
| 550 | |||
| 540 | static inline int check_entry_size_and_hooks(struct arpt_entry *e, | 551 | static inline int check_entry_size_and_hooks(struct arpt_entry *e, |
| 541 | struct xt_table_info *newinfo, | 552 | struct xt_table_info *newinfo, |
| 542 | unsigned char *base, | 553 | unsigned char *base, |
| 543 | unsigned char *limit, | 554 | unsigned char *limit, |
| 544 | const unsigned int *hook_entries, | 555 | const unsigned int *hook_entries, |
| 545 | const unsigned int *underflows, | 556 | const unsigned int *underflows, |
| 557 | unsigned int valid_hooks, | ||
| 546 | unsigned int *i) | 558 | unsigned int *i) |
| 547 | { | 559 | { |
| 548 | unsigned int h; | 560 | unsigned int h; |
| @@ -562,15 +574,21 @@ static inline int check_entry_size_and_hooks(struct arpt_entry *e, | |||
| 562 | 574 | ||
| 563 | /* Check hooks & underflows */ | 575 | /* Check hooks & underflows */ |
| 564 | for (h = 0; h < NF_ARP_NUMHOOKS; h++) { | 576 | for (h = 0; h < NF_ARP_NUMHOOKS; h++) { |
| 577 | if (!(valid_hooks & (1 << h))) | ||
| 578 | continue; | ||
| 565 | if ((unsigned char *)e - base == hook_entries[h]) | 579 | if ((unsigned char *)e - base == hook_entries[h]) |
| 566 | newinfo->hook_entry[h] = hook_entries[h]; | 580 | newinfo->hook_entry[h] = hook_entries[h]; |
| 567 | if ((unsigned char *)e - base == underflows[h]) | 581 | if ((unsigned char *)e - base == underflows[h]) { |
| 582 | if (!check_underflow(e)) { | ||
| 583 | pr_err("Underflows must be unconditional and " | ||
| 584 | "use the STANDARD target with " | ||
| 585 | "ACCEPT/DROP\n"); | ||
| 586 | return -EINVAL; | ||
| 587 | } | ||
| 568 | newinfo->underflow[h] = underflows[h]; | 588 | newinfo->underflow[h] = underflows[h]; |
| 589 | } | ||
| 569 | } | 590 | } |
| 570 | 591 | ||
| 571 | /* FIXME: underflows must be unconditional, standard verdicts | ||
| 572 | < 0 (not ARPT_RETURN). --RR */ | ||
| 573 | |||
| 574 | /* Clear counters and comefrom */ | 592 | /* Clear counters and comefrom */ |
| 575 | e->counters = ((struct xt_counters) { 0, 0 }); | 593 | e->counters = ((struct xt_counters) { 0, 0 }); |
| 576 | e->comefrom = 0; | 594 | e->comefrom = 0; |
| @@ -630,7 +648,7 @@ static int translate_table(const char *name, | |||
| 630 | newinfo, | 648 | newinfo, |
| 631 | entry0, | 649 | entry0, |
| 632 | entry0 + size, | 650 | entry0 + size, |
| 633 | hook_entries, underflows, &i); | 651 | hook_entries, underflows, valid_hooks, &i); |
| 634 | duprintf("translate_table: ARPT_ENTRY_ITERATE gives %d\n", ret); | 652 | duprintf("translate_table: ARPT_ENTRY_ITERATE gives %d\n", ret); |
| 635 | if (ret != 0) | 653 | if (ret != 0) |
| 636 | return ret; | 654 | return ret; |
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c index fdefae6b5dfc..0b43fd7ca04a 100644 --- a/net/ipv4/netfilter/ip_tables.c +++ b/net/ipv4/netfilter/ip_tables.c | |||
| @@ -8,6 +8,7 @@ | |||
| 8 | * it under the terms of the GNU General Public License version 2 as | 8 | * it under the terms of the GNU General Public License version 2 as |
| 9 | * published by the Free Software Foundation. | 9 | * published by the Free Software Foundation. |
| 10 | */ | 10 | */ |
| 11 | #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt | ||
| 11 | #include <linux/cache.h> | 12 | #include <linux/cache.h> |
| 12 | #include <linux/capability.h> | 13 | #include <linux/capability.h> |
| 13 | #include <linux/skbuff.h> | 14 | #include <linux/skbuff.h> |
| @@ -190,16 +191,11 @@ get_entry(void *base, unsigned int offset) | |||
| 190 | 191 | ||
| 191 | /* All zeroes == unconditional rule. */ | 192 | /* All zeroes == unconditional rule. */ |
| 192 | /* Mildly perf critical (only if packet tracing is on) */ | 193 | /* Mildly perf critical (only if packet tracing is on) */ |
| 193 | static inline int | 194 | static inline bool unconditional(const struct ipt_ip *ip) |
| 194 | unconditional(const struct ipt_ip *ip) | ||
| 195 | { | 195 | { |
| 196 | unsigned int i; | 196 | static const struct ipt_ip uncond; |
| 197 | |||
| 198 | for (i = 0; i < sizeof(*ip)/sizeof(__u32); i++) | ||
| 199 | if (((__u32 *)ip)[i]) | ||
| 200 | return 0; | ||
| 201 | 197 | ||
| 202 | return 1; | 198 | return memcmp(ip, &uncond, sizeof(uncond)) == 0; |
| 203 | #undef FWINV | 199 | #undef FWINV |
| 204 | } | 200 | } |
| 205 | 201 | ||
| @@ -315,7 +311,6 @@ ipt_do_table(struct sk_buff *skb, | |||
| 315 | 311 | ||
| 316 | static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long)))); | 312 | static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long)))); |
| 317 | const struct iphdr *ip; | 313 | const struct iphdr *ip; |
| 318 | u_int16_t datalen; | ||
| 319 | bool hotdrop = false; | 314 | bool hotdrop = false; |
| 320 | /* Initializing verdict to NF_DROP keeps gcc happy. */ | 315 | /* Initializing verdict to NF_DROP keeps gcc happy. */ |
| 321 | unsigned int verdict = NF_DROP; | 316 | unsigned int verdict = NF_DROP; |
| @@ -328,7 +323,6 @@ ipt_do_table(struct sk_buff *skb, | |||
| 328 | 323 | ||
| 329 | /* Initialization */ | 324 | /* Initialization */ |
| 330 | ip = ip_hdr(skb); | 325 | ip = ip_hdr(skb); |
| 331 | datalen = skb->len - ip->ihl * 4; | ||
| 332 | indev = in ? in->name : nulldevname; | 326 | indev = in ? in->name : nulldevname; |
| 333 | outdev = out ? out->name : nulldevname; | 327 | outdev = out ? out->name : nulldevname; |
| 334 | /* We handle fragments by dealing with the first fragment as | 328 | /* We handle fragments by dealing with the first fragment as |
| @@ -427,8 +421,6 @@ ipt_do_table(struct sk_buff *skb, | |||
| 427 | #endif | 421 | #endif |
| 428 | /* Target might have changed stuff. */ | 422 | /* Target might have changed stuff. */ |
| 429 | ip = ip_hdr(skb); | 423 | ip = ip_hdr(skb); |
| 430 | datalen = skb->len - ip->ihl * 4; | ||
| 431 | |||
| 432 | if (verdict == IPT_CONTINUE) | 424 | if (verdict == IPT_CONTINUE) |
| 433 | e = ipt_next_entry(e); | 425 | e = ipt_next_entry(e); |
| 434 | else | 426 | else |
| @@ -716,6 +708,21 @@ find_check_entry(struct ipt_entry *e, const char *name, unsigned int size, | |||
| 716 | return ret; | 708 | return ret; |
| 717 | } | 709 | } |
| 718 | 710 | ||
| 711 | static bool check_underflow(struct ipt_entry *e) | ||
| 712 | { | ||
| 713 | const struct ipt_entry_target *t; | ||
| 714 | unsigned int verdict; | ||
| 715 | |||
| 716 | if (!unconditional(&e->ip)) | ||
| 717 | return false; | ||
| 718 | t = ipt_get_target(e); | ||
| 719 | if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0) | ||
| 720 | return false; | ||
| 721 | verdict = ((struct ipt_standard_target *)t)->verdict; | ||
| 722 | verdict = -verdict - 1; | ||
| 723 | return verdict == NF_DROP || verdict == NF_ACCEPT; | ||
| 724 | } | ||
| 725 | |||
| 719 | static int | 726 | static int |
| 720 | check_entry_size_and_hooks(struct ipt_entry *e, | 727 | check_entry_size_and_hooks(struct ipt_entry *e, |
| 721 | struct xt_table_info *newinfo, | 728 | struct xt_table_info *newinfo, |
| @@ -723,6 +730,7 @@ check_entry_size_and_hooks(struct ipt_entry *e, | |||
| 723 | unsigned char *limit, | 730 | unsigned char *limit, |
| 724 | const unsigned int *hook_entries, | 731 | const unsigned int *hook_entries, |
| 725 | const unsigned int *underflows, | 732 | const unsigned int *underflows, |
| 733 | unsigned int valid_hooks, | ||
| 726 | unsigned int *i) | 734 | unsigned int *i) |
| 727 | { | 735 | { |
| 728 | unsigned int h; | 736 | unsigned int h; |
| @@ -742,15 +750,21 @@ check_entry_size_and_hooks(struct ipt_entry *e, | |||
| 742 | 750 | ||
| 743 | /* Check hooks & underflows */ | 751 | /* Check hooks & underflows */ |
| 744 | for (h = 0; h < NF_INET_NUMHOOKS; h++) { | 752 | for (h = 0; h < NF_INET_NUMHOOKS; h++) { |
| 753 | if (!(valid_hooks & (1 << h))) | ||
| 754 | continue; | ||
| 745 | if ((unsigned char *)e - base == hook_entries[h]) | 755 | if ((unsigned char *)e - base == hook_entries[h]) |
| 746 | newinfo->hook_entry[h] = hook_entries[h]; | 756 | newinfo->hook_entry[h] = hook_entries[h]; |
| 747 | if ((unsigned char *)e - base == underflows[h]) | 757 | if ((unsigned char *)e - base == underflows[h]) { |
| 758 | if (!check_underflow(e)) { | ||
| 759 | pr_err("Underflows must be unconditional and " | ||
| 760 | "use the STANDARD target with " | ||
| 761 | "ACCEPT/DROP\n"); | ||
| 762 | return -EINVAL; | ||
| 763 | } | ||
| 748 | newinfo->underflow[h] = underflows[h]; | 764 | newinfo->underflow[h] = underflows[h]; |
| 765 | } | ||
| 749 | } | 766 | } |
| 750 | 767 | ||
| 751 | /* FIXME: underflows must be unconditional, standard verdicts | ||
| 752 | < 0 (not IPT_RETURN). --RR */ | ||
| 753 | |||
| 754 | /* Clear counters and comefrom */ | 768 | /* Clear counters and comefrom */ |
| 755 | e->counters = ((struct xt_counters) { 0, 0 }); | 769 | e->counters = ((struct xt_counters) { 0, 0 }); |
| 756 | e->comefrom = 0; | 770 | e->comefrom = 0; |
| @@ -813,7 +827,7 @@ translate_table(const char *name, | |||
| 813 | newinfo, | 827 | newinfo, |
| 814 | entry0, | 828 | entry0, |
| 815 | entry0 + size, | 829 | entry0 + size, |
| 816 | hook_entries, underflows, &i); | 830 | hook_entries, underflows, valid_hooks, &i); |
| 817 | if (ret != 0) | 831 | if (ret != 0) |
| 818 | return ret; | 832 | return ret; |
| 819 | 833 | ||
diff --git a/net/ipv4/netfilter/iptable_filter.c b/net/ipv4/netfilter/iptable_filter.c index c30a969724f8..97dbd94a8e37 100644 --- a/net/ipv4/netfilter/iptable_filter.c +++ b/net/ipv4/netfilter/iptable_filter.c | |||
| @@ -57,7 +57,7 @@ static struct xt_table packet_filter = { | |||
| 57 | .name = "filter", | 57 | .name = "filter", |
| 58 | .valid_hooks = FILTER_VALID_HOOKS, | 58 | .valid_hooks = FILTER_VALID_HOOKS, |
| 59 | .me = THIS_MODULE, | 59 | .me = THIS_MODULE, |
| 60 | .af = AF_INET, | 60 | .af = NFPROTO_IPV4, |
| 61 | }; | 61 | }; |
| 62 | 62 | ||
| 63 | /* The work comes in here from netfilter.c. */ | 63 | /* The work comes in here from netfilter.c. */ |
| @@ -102,21 +102,21 @@ static struct nf_hook_ops ipt_ops[] __read_mostly = { | |||
| 102 | { | 102 | { |
| 103 | .hook = ipt_local_in_hook, | 103 | .hook = ipt_local_in_hook, |
| 104 | .owner = THIS_MODULE, | 104 | .owner = THIS_MODULE, |
| 105 | .pf = PF_INET, | 105 | .pf = NFPROTO_IPV4, |
| 106 | .hooknum = NF_INET_LOCAL_IN, | 106 | .hooknum = NF_INET_LOCAL_IN, |
| 107 | .priority = NF_IP_PRI_FILTER, | 107 | .priority = NF_IP_PRI_FILTER, |
| 108 | }, | 108 | }, |
| 109 | { | 109 | { |
| 110 | .hook = ipt_hook, | 110 | .hook = ipt_hook, |
| 111 | .owner = THIS_MODULE, | 111 | .owner = THIS_MODULE, |
| 112 | .pf = PF_INET, | 112 | .pf = NFPROTO_IPV4, |
| 113 | .hooknum = NF_INET_FORWARD, | 113 | .hooknum = NF_INET_FORWARD, |
| 114 | .priority = NF_IP_PRI_FILTER, | 114 | .priority = NF_IP_PRI_FILTER, |
| 115 | }, | 115 | }, |
| 116 | { | 116 | { |
| 117 | .hook = ipt_local_out_hook, | 117 | .hook = ipt_local_out_hook, |
| 118 | .owner = THIS_MODULE, | 118 | .owner = THIS_MODULE, |
| 119 | .pf = PF_INET, | 119 | .pf = NFPROTO_IPV4, |
| 120 | .hooknum = NF_INET_LOCAL_OUT, | 120 | .hooknum = NF_INET_LOCAL_OUT, |
| 121 | .priority = NF_IP_PRI_FILTER, | 121 | .priority = NF_IP_PRI_FILTER, |
| 122 | }, | 122 | }, |
diff --git a/net/ipv4/netfilter/iptable_mangle.c b/net/ipv4/netfilter/iptable_mangle.c index 4087614d9519..28647f10aa7e 100644 --- a/net/ipv4/netfilter/iptable_mangle.c +++ b/net/ipv4/netfilter/iptable_mangle.c | |||
| @@ -68,7 +68,7 @@ static struct xt_table packet_mangler = { | |||
| 68 | .name = "mangle", | 68 | .name = "mangle", |
| 69 | .valid_hooks = MANGLE_VALID_HOOKS, | 69 | .valid_hooks = MANGLE_VALID_HOOKS, |
| 70 | .me = THIS_MODULE, | 70 | .me = THIS_MODULE, |
| 71 | .af = AF_INET, | 71 | .af = NFPROTO_IPV4, |
| 72 | }; | 72 | }; |
| 73 | 73 | ||
| 74 | /* The work comes in here from netfilter.c. */ | 74 | /* The work comes in here from netfilter.c. */ |
| @@ -162,35 +162,35 @@ static struct nf_hook_ops ipt_ops[] __read_mostly = { | |||
| 162 | { | 162 | { |
| 163 | .hook = ipt_pre_routing_hook, | 163 | .hook = ipt_pre_routing_hook, |
| 164 | .owner = THIS_MODULE, | 164 | .owner = THIS_MODULE, |
| 165 | .pf = PF_INET, | 165 | .pf = NFPROTO_IPV4, |
| 166 | .hooknum = NF_INET_PRE_ROUTING, | 166 | .hooknum = NF_INET_PRE_ROUTING, |
| 167 | .priority = NF_IP_PRI_MANGLE, | 167 | .priority = NF_IP_PRI_MANGLE, |
| 168 | }, | 168 | }, |
| 169 | { | 169 | { |
| 170 | .hook = ipt_local_in_hook, | 170 | .hook = ipt_local_in_hook, |
| 171 | .owner = THIS_MODULE, | 171 | .owner = THIS_MODULE, |
| 172 | .pf = PF_INET, | 172 | .pf = NFPROTO_IPV4, |
| 173 | .hooknum = NF_INET_LOCAL_IN, | 173 | .hooknum = NF_INET_LOCAL_IN, |
| 174 | .priority = NF_IP_PRI_MANGLE, | 174 | .priority = NF_IP_PRI_MANGLE, |
| 175 | }, | 175 | }, |
| 176 | { | 176 | { |
| 177 | .hook = ipt_forward_hook, | 177 | .hook = ipt_forward_hook, |
| 178 | .owner = THIS_MODULE, | 178 | .owner = THIS_MODULE, |
| 179 | .pf = PF_INET, | 179 | .pf = NFPROTO_IPV4, |
| 180 | .hooknum = NF_INET_FORWARD, | 180 | .hooknum = NF_INET_FORWARD, |
| 181 | .priority = NF_IP_PRI_MANGLE, | 181 | .priority = NF_IP_PRI_MANGLE, |
| 182 | }, | 182 | }, |
| 183 | { | 183 | { |
| 184 | .hook = ipt_local_hook, | 184 | .hook = ipt_local_hook, |
| 185 | .owner = THIS_MODULE, | 185 | .owner = THIS_MODULE, |
| 186 | .pf = PF_INET, | 186 | .pf = NFPROTO_IPV4, |
| 187 | .hooknum = NF_INET_LOCAL_OUT, | 187 | .hooknum = NF_INET_LOCAL_OUT, |
| 188 | .priority = NF_IP_PRI_MANGLE, | 188 | .priority = NF_IP_PRI_MANGLE, |
| 189 | }, | 189 | }, |
| 190 | { | 190 | { |
| 191 | .hook = ipt_post_routing_hook, | 191 | .hook = ipt_post_routing_hook, |
| 192 | .owner = THIS_MODULE, | 192 | .owner = THIS_MODULE, |
| 193 | .pf = PF_INET, | 193 | .pf = NFPROTO_IPV4, |
| 194 | .hooknum = NF_INET_POST_ROUTING, | 194 | .hooknum = NF_INET_POST_ROUTING, |
| 195 | .priority = NF_IP_PRI_MANGLE, | 195 | .priority = NF_IP_PRI_MANGLE, |
| 196 | }, | 196 | }, |
diff --git a/net/ipv4/netfilter/iptable_raw.c b/net/ipv4/netfilter/iptable_raw.c index e5356da1fb54..494784c999eb 100644 --- a/net/ipv4/netfilter/iptable_raw.c +++ b/net/ipv4/netfilter/iptable_raw.c | |||
| @@ -40,7 +40,7 @@ static struct xt_table packet_raw = { | |||
| 40 | .name = "raw", | 40 | .name = "raw", |
| 41 | .valid_hooks = RAW_VALID_HOOKS, | 41 | .valid_hooks = RAW_VALID_HOOKS, |
| 42 | .me = THIS_MODULE, | 42 | .me = THIS_MODULE, |
| 43 | .af = AF_INET, | 43 | .af = NFPROTO_IPV4, |
| 44 | }; | 44 | }; |
| 45 | 45 | ||
| 46 | /* The work comes in here from netfilter.c. */ | 46 | /* The work comes in here from netfilter.c. */ |
| @@ -74,14 +74,14 @@ ipt_local_hook(unsigned int hook, | |||
| 74 | static struct nf_hook_ops ipt_ops[] __read_mostly = { | 74 | static struct nf_hook_ops ipt_ops[] __read_mostly = { |
| 75 | { | 75 | { |
| 76 | .hook = ipt_hook, | 76 | .hook = ipt_hook, |
| 77 | .pf = PF_INET, | 77 | .pf = NFPROTO_IPV4, |
| 78 | .hooknum = NF_INET_PRE_ROUTING, | 78 | .hooknum = NF_INET_PRE_ROUTING, |
| 79 | .priority = NF_IP_PRI_RAW, | 79 | .priority = NF_IP_PRI_RAW, |
| 80 | .owner = THIS_MODULE, | 80 | .owner = THIS_MODULE, |
| 81 | }, | 81 | }, |
| 82 | { | 82 | { |
| 83 | .hook = ipt_local_hook, | 83 | .hook = ipt_local_hook, |
| 84 | .pf = PF_INET, | 84 | .pf = NFPROTO_IPV4, |
| 85 | .hooknum = NF_INET_LOCAL_OUT, | 85 | .hooknum = NF_INET_LOCAL_OUT, |
| 86 | .priority = NF_IP_PRI_RAW, | 86 | .priority = NF_IP_PRI_RAW, |
| 87 | .owner = THIS_MODULE, | 87 | .owner = THIS_MODULE, |
diff --git a/net/ipv4/netfilter/iptable_security.c b/net/ipv4/netfilter/iptable_security.c index 29ab630f240a..8804e1a0f915 100644 --- a/net/ipv4/netfilter/iptable_security.c +++ b/net/ipv4/netfilter/iptable_security.c | |||
| @@ -61,7 +61,7 @@ static struct xt_table security_table = { | |||
| 61 | .name = "security", | 61 | .name = "security", |
| 62 | .valid_hooks = SECURITY_VALID_HOOKS, | 62 | .valid_hooks = SECURITY_VALID_HOOKS, |
| 63 | .me = THIS_MODULE, | 63 | .me = THIS_MODULE, |
| 64 | .af = AF_INET, | 64 | .af = NFPROTO_IPV4, |
| 65 | }; | 65 | }; |
| 66 | 66 | ||
| 67 | static unsigned int | 67 | static unsigned int |
| @@ -105,21 +105,21 @@ static struct nf_hook_ops ipt_ops[] __read_mostly = { | |||
| 105 | { | 105 | { |
| 106 | .hook = ipt_local_in_hook, | 106 | .hook = ipt_local_in_hook, |
| 107 | .owner = THIS_MODULE, | 107 | .owner = THIS_MODULE, |
| 108 | .pf = PF_INET, | 108 | .pf = NFPROTO_IPV4, |
| 109 | .hooknum = NF_INET_LOCAL_IN, | 109 | .hooknum = NF_INET_LOCAL_IN, |
| 110 | .priority = NF_IP_PRI_SECURITY, | 110 | .priority = NF_IP_PRI_SECURITY, |
| 111 | }, | 111 | }, |
| 112 | { | 112 | { |
| 113 | .hook = ipt_forward_hook, | 113 | .hook = ipt_forward_hook, |
| 114 | .owner = THIS_MODULE, | 114 | .owner = THIS_MODULE, |
| 115 | .pf = PF_INET, | 115 | .pf = NFPROTO_IPV4, |
| 116 | .hooknum = NF_INET_FORWARD, | 116 | .hooknum = NF_INET_FORWARD, |
| 117 | .priority = NF_IP_PRI_SECURITY, | 117 | .priority = NF_IP_PRI_SECURITY, |
| 118 | }, | 118 | }, |
| 119 | { | 119 | { |
| 120 | .hook = ipt_local_out_hook, | 120 | .hook = ipt_local_out_hook, |
| 121 | .owner = THIS_MODULE, | 121 | .owner = THIS_MODULE, |
| 122 | .pf = PF_INET, | 122 | .pf = NFPROTO_IPV4, |
| 123 | .hooknum = NF_INET_LOCAL_OUT, | 123 | .hooknum = NF_INET_LOCAL_OUT, |
| 124 | .priority = NF_IP_PRI_SECURITY, | 124 | .priority = NF_IP_PRI_SECURITY, |
| 125 | }, | 125 | }, |
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c index 05a9bc8df536..9ac2fdc36ecc 100644 --- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c +++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | |||
| @@ -158,28 +158,28 @@ static struct nf_hook_ops ipv4_conntrack_ops[] __read_mostly = { | |||
| 158 | { | 158 | { |
| 159 | .hook = ipv4_conntrack_in, | 159 | .hook = ipv4_conntrack_in, |
| 160 | .owner = THIS_MODULE, | 160 | .owner = THIS_MODULE, |
| 161 | .pf = PF_INET, | 161 | .pf = NFPROTO_IPV4, |
| 162 | .hooknum = NF_INET_PRE_ROUTING, | 162 | .hooknum = NF_INET_PRE_ROUTING, |
| 163 | .priority = NF_IP_PRI_CONNTRACK, | 163 | .priority = NF_IP_PRI_CONNTRACK, |
| 164 | }, | 164 | }, |
| 165 | { | 165 | { |
| 166 | .hook = ipv4_conntrack_local, | 166 | .hook = ipv4_conntrack_local, |
| 167 | .owner = THIS_MODULE, | 167 | .owner = THIS_MODULE, |
| 168 | .pf = PF_INET, | 168 | .pf = NFPROTO_IPV4, |
| 169 | .hooknum = NF_INET_LOCAL_OUT, | 169 | .hooknum = NF_INET_LOCAL_OUT, |
| 170 | .priority = NF_IP_PRI_CONNTRACK, | 170 | .priority = NF_IP_PRI_CONNTRACK, |
| 171 | }, | 171 | }, |
| 172 | { | 172 | { |
| 173 | .hook = ipv4_confirm, | 173 | .hook = ipv4_confirm, |
| 174 | .owner = THIS_MODULE, | 174 | .owner = THIS_MODULE, |
| 175 | .pf = PF_INET, | 175 | .pf = NFPROTO_IPV4, |
| 176 | .hooknum = NF_INET_POST_ROUTING, | 176 | .hooknum = NF_INET_POST_ROUTING, |
| 177 | .priority = NF_IP_PRI_CONNTRACK_CONFIRM, | 177 | .priority = NF_IP_PRI_CONNTRACK_CONFIRM, |
| 178 | }, | 178 | }, |
| 179 | { | 179 | { |
| 180 | .hook = ipv4_confirm, | 180 | .hook = ipv4_confirm, |
| 181 | .owner = THIS_MODULE, | 181 | .owner = THIS_MODULE, |
| 182 | .pf = PF_INET, | 182 | .pf = NFPROTO_IPV4, |
| 183 | .hooknum = NF_INET_LOCAL_IN, | 183 | .hooknum = NF_INET_LOCAL_IN, |
| 184 | .priority = NF_IP_PRI_CONNTRACK_CONFIRM, | 184 | .priority = NF_IP_PRI_CONNTRACK_CONFIRM, |
| 185 | }, | 185 | }, |
diff --git a/net/ipv4/netfilter/nf_nat_rule.c b/net/ipv4/netfilter/nf_nat_rule.c index 6348a793936e..6448a9b7d6f0 100644 --- a/net/ipv4/netfilter/nf_nat_rule.c +++ b/net/ipv4/netfilter/nf_nat_rule.c | |||
| @@ -62,7 +62,7 @@ static struct xt_table nat_table = { | |||
| 62 | .name = "nat", | 62 | .name = "nat", |
| 63 | .valid_hooks = NAT_VALID_HOOKS, | 63 | .valid_hooks = NAT_VALID_HOOKS, |
| 64 | .me = THIS_MODULE, | 64 | .me = THIS_MODULE, |
| 65 | .af = AF_INET, | 65 | .af = NFPROTO_IPV4, |
| 66 | }; | 66 | }; |
| 67 | 67 | ||
| 68 | /* Source NAT */ | 68 | /* Source NAT */ |
diff --git a/net/ipv4/netfilter/nf_nat_standalone.c b/net/ipv4/netfilter/nf_nat_standalone.c index 5567bd0d0750..5f41d017ddd8 100644 --- a/net/ipv4/netfilter/nf_nat_standalone.c +++ b/net/ipv4/netfilter/nf_nat_standalone.c | |||
| @@ -251,7 +251,7 @@ static struct nf_hook_ops nf_nat_ops[] __read_mostly = { | |||
| 251 | { | 251 | { |
| 252 | .hook = nf_nat_in, | 252 | .hook = nf_nat_in, |
| 253 | .owner = THIS_MODULE, | 253 | .owner = THIS_MODULE, |
| 254 | .pf = PF_INET, | 254 | .pf = NFPROTO_IPV4, |
| 255 | .hooknum = NF_INET_PRE_ROUTING, | 255 | .hooknum = NF_INET_PRE_ROUTING, |
| 256 | .priority = NF_IP_PRI_NAT_DST, | 256 | .priority = NF_IP_PRI_NAT_DST, |
| 257 | }, | 257 | }, |
| @@ -259,7 +259,7 @@ static struct nf_hook_ops nf_nat_ops[] __read_mostly = { | |||
| 259 | { | 259 | { |
| 260 | .hook = nf_nat_out, | 260 | .hook = nf_nat_out, |
| 261 | .owner = THIS_MODULE, | 261 | .owner = THIS_MODULE, |
| 262 | .pf = PF_INET, | 262 | .pf = NFPROTO_IPV4, |
| 263 | .hooknum = NF_INET_POST_ROUTING, | 263 | .hooknum = NF_INET_POST_ROUTING, |
| 264 | .priority = NF_IP_PRI_NAT_SRC, | 264 | .priority = NF_IP_PRI_NAT_SRC, |
| 265 | }, | 265 | }, |
| @@ -267,7 +267,7 @@ static struct nf_hook_ops nf_nat_ops[] __read_mostly = { | |||
| 267 | { | 267 | { |
| 268 | .hook = nf_nat_local_fn, | 268 | .hook = nf_nat_local_fn, |
| 269 | .owner = THIS_MODULE, | 269 | .owner = THIS_MODULE, |
| 270 | .pf = PF_INET, | 270 | .pf = NFPROTO_IPV4, |
| 271 | .hooknum = NF_INET_LOCAL_OUT, | 271 | .hooknum = NF_INET_LOCAL_OUT, |
| 272 | .priority = NF_IP_PRI_NAT_DST, | 272 | .priority = NF_IP_PRI_NAT_DST, |
| 273 | }, | 273 | }, |
| @@ -275,7 +275,7 @@ static struct nf_hook_ops nf_nat_ops[] __read_mostly = { | |||
| 275 | { | 275 | { |
| 276 | .hook = nf_nat_fn, | 276 | .hook = nf_nat_fn, |
| 277 | .owner = THIS_MODULE, | 277 | .owner = THIS_MODULE, |
| 278 | .pf = PF_INET, | 278 | .pf = NFPROTO_IPV4, |
| 279 | .hooknum = NF_INET_LOCAL_IN, | 279 | .hooknum = NF_INET_LOCAL_IN, |
| 280 | .priority = NF_IP_PRI_NAT_SRC, | 280 | .priority = NF_IP_PRI_NAT_SRC, |
| 281 | }, | 281 | }, |